Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
you're one of the rarest groups of all the fish in the pond, so to speak, per-se.
Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.
IE 5 was great, but MS making IE5 great and taking the market lead seems to have given them the idea that they could implement their own features all on their own and make everyone conform to their standards, which they are still doing now. The thing is the way Internet explorer implemented a lot of features gave a lot of things that just couldn't be easily done or done at all until HTML5 was actually adopted. The problem there is that HTML 5 took forever. Evolution of the web by its own standards committee has been gruelingly slow and the massive amount of garbage that has come out in-between and the amount of junk included in HTML 5 itself is astounding. Even if you could say some new features submitted are great there is just so much overlapping of features it's hard to tell what is the best way to do anything now. Do you write a site with canvas and hope people using IE will install chrome frame? Do you write two versions of the same site, one using "standard" HTML 5/XML Namespaces/SVG/Canvas and one using whatever Microsoft developed 5 years ago to achieve the same thing but in the Microsoft way? Speaking of SVG, the Adobe SVG plugin for IE can't read modern SVG files and the google SVG to flash translator breaks if you use any other new web technology with it (xlink for example). And don't even get me started on how terrible Flash is, it's just depressing. Java web launch? Has anybody even heard of it? How many general PC users even have the Java plug-in properly installed (I'm betting 3 year old can count that high)? The internet sucks and it sucks in two different directions: the "anything goes and we'll do whatever we want Microsoft direction" and the "we'll do everything you want but we'll fight about how to do it for 5 years, then never actually call the standard finalized so we can just arbitrarily change it and if any browser developers complain we'll just tell them they shouldn't have implemented it if it wasn't finalized" W3C/Gecko/Webkit/Opera direction.
Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....
But really, no one should throw stones, right? As a kid, I was always taught that it's not nice to throw stones at people.
Unless of course, you were trapped in a glass house and needed to get out. If you have a pile of stones next to you, go ahead and throw them. Then you won't be trapped anymore!
So really, people in glass houses are the only ones who should throw stones. Right?
By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.
I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/ [chromeplugins.org].
Microsoft Says Google Chrome Frame Makes IE Less Secure
Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:
Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.
as an argument to prove their point (???), but really, this is Googles way of taking over the MS userbase as explained here [slashdot.org], and MS knows it. If Google wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google wave by using scorched earth policy. [wikipedia.org]
They make a valid point. IE has holes. Chrome has holes. IE with a Chrome plugin can be exploited by both vectors. There should be no debate over the fact that IE+Chrome is less secure than IE without Chrome. That is distracting from the real question, however, which is whether IE without Chrome is less secure than Chrome without IE.
I read a fantastic interview with one of the lead IE developers as they were prepping the launch of IE 7. He said his daughter came home from school one day and asked him if he was responsible for breaking the web.
In the interview, he seemed to imply the current IE team feels guilty and responsible for previous versions being so poor in standards compliance, and that the new developers were pushing to make IE more complaint in the future.
Technically, they have succeeded. IE 7 and 8 are more complaint. They still however are not very compliant on the whole.
So yes, they have families. And even their beloved daughters call them out for IE's problems.
Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their Javascript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.
Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.
Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
So yes, microsoft is right, but rather missing the point... If you're using a chrome frame, you're probably not using IE frames, which means that you're as secure as WebKit's security flaws.
Why you'd do that rather than just using chrome I have no idea though.
Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.
Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.
It can be as simple as using https://mail.google.com/
"Given the security issues with plugins in general and Google Chrome in particular"
O RLY?
I'm happy to believe that IE8 actually has a good security model. I'm happy to believe that Chrome is not without flaws. But, really, Google have gone through fairly considerable pain and implemented quite strict sandboxing techniques for Chrome, to contain any problems in the renderer. It's pretty solid. Maybe it's better than IE8, maybe not. But just hand waving and going "Oh yes, *especially* Chrome" as if it's common knowledge that it's insecure is simply FUD.
The point about increasing the attack surface area seems more valid, perhaps, though it really depends on how this plugin works. If there are really twice as many places available at once then yes, that is a worry. If you'd have to get through Chrome's security and then through IE8's security, that actually sounds quite good. Possibly the biggest security worry I see is in encouraging users to think that installing a large, scary plugin that basically replaces the guts of their browser is a normal occurrence that will make their internet experience better.
I'm happy to believe that IE8 actually has a good security model.
And I thought that included sandboxing plugins? How can any plugin be a serious security threat with MS went through such pains to make IE bulletproof?
They not only add the.Net plugin to Firefox without asking you, they change the useragent string for Firefox... oh and the.Net plugin doesn't have a built-in uninstaller like every other plugin.
a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night.
Dancing Developers?? Get back to developing webs, like you're supposed to be doing! Didn't anybody tell you that you are no good at dancing?
This is not a risk we would recommend our friends and families take.
Especially the children. Think of the children!
He should have used "mortal danger" instead of simply "risk". Also, change "would recommend" for "let". And add some exclamations, for god's sake, this is serious.
Thus, the closing sentence should be: "This is not a mortal danger we let our children take!"
However, once you've decided to push factless crap with fear mongering, at least do it with style.
I recommend: "If you allow your children to install the google demon, your entire family will suffer an eternity of pain, in HELL!"
"This is not a risk we would recommend our friends and families take." The Microsoft representative further stated that "Allowing your children to use the Google Chrome Frame plugin is tantamount to child abuse. In fact, we're not so sure that anyone installing this is truly capable of feeling love. What kind of heartless monster would willingly install this on their loved ones' browser?"
I heard about this but I wasn't going to install it yet. I don't use a lot of I.E. stuff, but what I do is Javascript intensive, so now that I know that your don't like it at Microsoft I have now installed it. Thanks for the heads up... since you don't like it there must be a reason to give it a look.
So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?
Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!
kettle/black (Score:5, Funny)
Re:kettle/black (Score:5, Insightful)
I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?
Parent
Re:kettle/black (Score:5, Insightful)
Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.
Great, that happened *ten* years ago [wikipedia.org]. What has happened since? They've been chasing the Fox for past *five* years.
Parent
Re:kettle/black (Score:5, Insightful)
you're one of the rarest groups of all the fish in the pond, so to speak, per-se.
Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.
Parent
Re:kettle/black (Score:5, Informative)
Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....
Parent
Re:kettle/black (Score:5, Interesting)
gee, and it really helps your case when the Microsoft rep on the HTML5 was one of the key people delaying the standard, isn't it?
Parent
Re:kettle/black (Score:5, Funny)
Parent
Re:kettle/black (Score:4, Funny)
Wrong. People in glass houses shouldn't undress.
Parent
Re:kettle/black (Score:5, Funny)
Even if that person is Bree Olson?
Gah, knew I shouldn't have googled her at work.
Parent
Re:kettle/black (Score:5, Funny)
You misspelled "ogled."
Parent
Re:kettle/black (Score:5, Funny)
Making IE less secure is like making water more wet.
Parent
Actually MS is right. (Score:5, Insightful)
By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.
Parent
Re:Actually MS is right. (Score:5, Informative)
+1.
I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/ [chromeplugins.org].
Parent
Re:kettle/black (Score:5, Insightful)
Microsoft Says Google Chrome Frame Makes IE Less Secure
Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:
Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.
as an argument to prove their point (???), but really, this is Googles way of taking over the MS userbase as explained here [slashdot.org], and MS knows it. If Google wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google wave by using scorched earth policy. [wikipedia.org]
Parent
Re:kettle/black (Score:5, Insightful)
Parent
Friends? (Score:5, Funny)
Friends don't let friends use Internet Explorer anyway.
Re:Friends? (Score:5, Funny)
'This is not a risk we would recommend our friends and families take.'
They have friends, much less family?
Parent
Re:Friends? (Score:5, Interesting)
I read a fantastic interview with one of the lead IE developers as they were prepping the launch of IE 7. He said his daughter came home from school one day and asked him if he was responsible for breaking the web.
In the interview, he seemed to imply the current IE team feels guilty and responsible for previous versions being so poor in standards compliance, and that the new developers were pushing to make IE more complaint in the future.
Technically, they have succeeded. IE 7 and 8 are more complaint. They still however are not very compliant on the whole.
So yes, they have families. And even their beloved daughters call them out for IE's problems.
Parent
Re:Friends? (Score:5, Funny)
...the new developers were pushing to make IE more complaint in the future.
Technically, they have succeeded. IE 7 and 8 are more complaint.
Feel the delicious irony from an incorrect vowel transposition!
Parent
Re:Friends? (Score:5, Funny)
I find the lack of mention of children and terrorists disturbing.
Parent
Well yes (Score:5, Funny)
Ofcourse it makes it less secure, it lets you run Javascript faster, so that all those drive-by malware installers can execute faster!
Re:Well yes (Score:5, Insightful)
Parent
Well they would say that wouldn't they (Score:5, Informative)
Re:Well they would say that wouldn't they (Score:5, Funny)
Parent
Re:Well they would say that wouldn't they (Score:5, Insightful)
Parent
Security issues with Google Chrome? (Score:4, Insightful)
Dear Microsoft:
Citation please. Evidence. Facts. Or retract.
'k thanks,
Google
Re:Security issues with Google Chrome? (Score:5, Interesting)
Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their Javascript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.
Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.
Parent
Re:Security issues with Google Chrome? (Score:5, Informative)
Citation please.
http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php [readwriteweb.com]
http://news.cnet.com/8301-1009_3-10226578-83.html [cnet.com]
Parent
Re:Security issues with Google Chrome? (Score:5, Insightful)
Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
So yes, microsoft is right, but rather missing the point... If you're using a chrome frame, you're probably not using IE frames, which means that you're as secure as WebKit's security flaws.
Why you'd do that rather than just using chrome I have no idea though.
Parent
Re:Security issues with Google Chrome? (Score:5, Insightful)
Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.
Parent
Re:Security issues with Google Chrome? (Score:5, Insightful)
Parent
Re:Security issues with Google Chrome? (Score:5, Funny)
News: Vulnerability in google chrome
News: Vulnerability in Mozilla Firefox
News: Some part of Internet explorer is safe!
See? :)
Parent
Re:Security issues with Google Chrome? (Score:5, Insightful)
Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.
It can be as simple as using https://mail.google.com/
Parent
I agree (Score:5, Insightful)
. . . which is why one should run Firefox, konqueror, Mozilla, or Opera on Linux, Solaris, or BSD instead.
It's alright (Score:5, Funny)
Of course (Score:5, Insightful)
In other news, Microsoft has said that Moores Law is a security risk, because viruses can install themselves twice as fast every 18 months.
Thanks (Score:5, Insightful)
You just made one of the most important arguments against Silverlight official.
Re:Thanks (Score:5, Funny)
Not only an argument directly from Microsoft against Silverlight but also against Flash!
Why is Microsoft helping us like that?
Parent
Textbook FUD (Score:5, Interesting)
"Given the security issues with plugins in general and Google Chrome in particular"
O RLY?
I'm happy to believe that IE8 actually has a good security model. I'm happy to believe that Chrome is not without flaws. But, really, Google have gone through fairly considerable pain and implemented quite strict sandboxing techniques for Chrome, to contain any problems in the renderer. It's pretty solid. Maybe it's better than IE8, maybe not. But just hand waving and going "Oh yes, *especially* Chrome" as if it's common knowledge that it's insecure is simply FUD.
The point about increasing the attack surface area seems more valid, perhaps, though it really depends on how this plugin works. If there are really twice as many places available at once then yes, that is a worry. If you'd have to get through Chrome's security and then through IE8's security, that actually sounds quite good. Possibly the biggest security worry I see is in encouraging users to think that installing a large, scary plugin that basically replaces the guts of their browser is a normal occurrence that will make their internet experience better.
Re:Textbook FUD (Score:5, Insightful)
I'm happy to believe that IE8 actually has a good security model.
And I thought that included sandboxing plugins? How can any plugin be a serious security threat with MS went through such pains to make IE bulletproof?
Parent
Double Standards (Score:5, Insightful)
So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.
Re:Double Standards (Score:5, Informative)
I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html [washingtonpost.com]
Parent
Ingrates! (Score:4, Funny)
a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night.
Dancing Developers?? Get back to developing webs, like you're supposed to be doing! Didn't anybody tell you that you are no good at dancing?
Families (Score:5, Funny)
This is not a risk we would recommend our friends and families take.
Especially the children. Think of the children!
He should have used "mortal danger" instead of simply "risk". Also, change "would recommend" for "let". And add some exclamations, for god's sake, this is serious.
Thus, the closing sentence should be:
"This is not a mortal danger we let our children take!"
However, once you've decided to push factless crap with fear mongering, at least do it with style.
I recommend:
"If you allow your children to install the google demon, your entire family will suffer an eternity of pain, in HELL!"
My family disowned me after I installed it. (Score:4, Funny)
Thanks Microsoft... (Score:5, Interesting)
I heard about this but I wasn't going to install it yet. I don't use a lot of I.E. stuff, but what I do is Javascript intensive, so now that I know that your don't like it at Microsoft I have now installed it. Thanks for the heads up... since you don't like it there must be a reason to give it a look.
Sounds to me that Microsoft... (Score:5, Insightful)
So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?
I have great respect for Google (Score:4, Funny)
But I doubt that even they could make IE less secure than it already is.
Friends and family (Score:4, Insightful)
Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!
Re:I'm Taking Notes (Score:4, Funny)
Parent